Due to my own stupidity* my site was hacked over the weekend. The obvious effect of this was that an iframe was injected into the top of all pages. This iframe contained code that prompted users to download a trojan-infected PDF file. I have now fixed this, and also closed the security hole that allowed the malicious user to make the iframe change, which is good news. However, having looked through the server logs (IIS 7), I can see that various POST requests were made by the malicious user, and I would like to see the contents of these requests so that I can be certain nothing else has been changed. Does anybody know of a way of achieving this? * The moral to this story is: when your software supplier issues a security update, don't sit on it for a couple of weeks, apply it immediately.
It could be an injection attack. Filter all POST variables and don't allow HTML code. Check this out: http://corpocrat.com/2009/07/28/filtering-escaping-post-data-from-injection-attacks/
Cheers for the info, I suspected as much. It was a standard upload hole: the software allows users to upload images, and these are filtered by extension. However, a hole had been introduced that allowed remote users to upload PHP files. The malicious user used this hole to upload an r57shell and from there access areas that normal users should not have access to. All closed now.
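
An added example, not part of the original thread: IIS W3C logs record the method, URI, client IP and status of each request but not the POST body, so the log can show where the POSTs went rather than what they contained. The Python sketch below groups POST requests by client and flags any request for a script file inside an image upload directory, which is the pattern the upload hole described above would leave. The log lines, IP addresses and the `/gallery/images/` path are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-01-16 02:11:04 GET /index.php - 198.51.100.7 200
2010-01-16 02:11:09 POST /gallery/upload.php - 203.0.113.9 200
2010-01-16 02:11:15 GET /gallery/images/pic.php - 203.0.113.9 200
2010-01-16 02:11:31 POST /gallery/images/pic.php - 203.0.113.9 200
2010-01-16 02:12:02 POST /contact.php - 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage_posts(text, upload_dir="/gallery/images/",
                 script_exts=(".php", ".asp", ".aspx")):
    """Return (POSTs grouped by client IP, requests for scripts in upload_dir).

    upload_dir is a hypothetical path: set it to wherever the application
    stores user-uploaded images. That directory should never serve scripts.
    """
    posts = defaultdict(list)
    suspicious = []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST":
            posts[r["c-ip"]].append((r["date"] + " " + r["time"], r["cs-uri-stem"]))
        if stem.startswith(upload_dir) and stem.endswith(script_exts):
            suspicious.append((r["c-ip"], r["cs-method"], r["cs-uri-stem"]))
    return dict(posts), suspicious

if __name__ == "__main__":
    posts, suspicious = triage_posts(SAMPLE_LOG)
    for ip, hits in posts.items():
        print(ip, hits)
    print("scripts requested from upload dir:", suspicious)
```

Every file a flagged client touched after its first hit is a candidate for comparison against a known-good copy or backup.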